General

  • Target

    5c7433de6e2b0d06b40505b52833992e5f8548b44ab90de2fd26b57542413fb9

  • Size

    1.3MB

  • Sample

    231111-hch9zadd66

  • MD5

    0226771a6d4b8f27624111695818dac0

  • SHA1

    c651afa8827ba8f7182b7d311a02c33225b2a3d1

  • SHA256

    5c7433de6e2b0d06b40505b52833992e5f8548b44ab90de2fd26b57542413fb9

  • SHA512

    732f5b12a2248f553dbf6bc48031e2ca0a2695412271ba689c77b67512684e0ceacede5a48092d1f9d7e9bc1e71359b192b0c9d44c96246d43acbba21eeefc81

  • SSDEEP

    24576:6yD3OI4pYx8aegIsTCQGc96DREIHe2us/stRP8bsyHXzeNVx:B7OvEenQ5GTSIHis/sniJ36N

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057
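The report above gives a single static fingerprint for this RedLine build (the MD5/SHA1/SHA256/SHA512 digests under General) and one network indicator (the C2 endpoint in Malware Config). The following script is an added example, written for this page and not part of the sandbox output or of any RedLine tooling: it hashes a file on disk and compares the digests with the report's values, and it sweeps Zeek-style conn.log records for connections to the C2 address and port. The hash values and the C2 endpoint are copied from the report; the file path, the conn.log excerpt and the helper names are constructed for illustration. The conn.log parser assumes Zeek's default tab-separated field order (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, ...).

```python
"""IOC sweep for the RedLine sample in this report (added example, not sandbox output).

Hashes and the C2 endpoint come from the report; conn.log lines below are constructed.
"""
import hashlib
import ipaddress

# Indicators copied from the General and Malware Config sections of the report.
IOC_HASHES = {
    "md5": "0226771a6d4b8f27624111695818dac0",
    "sha1": "c651afa8827ba8f7182b7d311a02c33225b2a3d1",
    "sha256": "5c7433de6e2b0d06b40505b52833992e5f8548b44ab90de2fd26b57542413fb9",
    "sha512": "732f5b12a2248f553dbf6bc48031e2ca0a2695412271ba689c77b67512684e0c"
              "eacede5a48092d1f9d7e9bc1e71359b192b0c9d44c96246d43acbba21eeefc81",
}
C2_IP = "5.42.92.51"
C2_PORT = 19057


def hash_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256/sha512 hex digests for an in-memory buffer."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in IOC_HASHES}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file in chunks so a large dropper does not have to fit in memory."""
    hashers = {alg: hashlib.new(alg) for alg in IOC_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def matches_sample(digests: dict) -> list:
    """Return the algorithms whose digest equals the report's value.

    One match identifies this exact file. No match at all usually means a
    repacked build, which is why the network indicator below is kept as well.
    """
    return [alg for alg, expected in IOC_HASHES.items()
            if digests.get(alg, "").lower() == expected]


def c2_hits(conn_log_lines) -> list:
    """Return (orig_h, ts) for conn.log records whose responder is the C2 IP:port.

    Assumes Zeek's default tab-separated layout:
    ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, ...
    Comment/header lines (#...) and malformed records are skipped.
    """
    c2 = ipaddress.ip_address(C2_IP)
    hits = []
    for line in conn_log_lines:
        if not line or line.startswith("#"):
            continue
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 6:
            continue
        ts, _uid, orig_h, _orig_p, resp_h, resp_p = fields[:6]
        try:
            if ipaddress.ip_address(resp_h) == c2 and int(resp_p) == C2_PORT:
                hits.append((orig_h, ts))
        except ValueError:
            continue  # unparsable address or port; not a hit
    return hits


# Constructed conn.log excerpt (not real traffic): one beacon to the C2 endpoint,
# one unrelated TLS connection, and one to the C2 IP on a different port.
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "1699700000.123456\tCabc1\t10.0.0.21\t51544\t5.42.92.51\t19057\ttcp\n"
    "1699700001.000000\tCabc2\t10.0.0.21\t51545\t142.250.74.46\t443\ttcp\n"
    "1699700002.500000\tCabc3\t10.0.0.37\t49200\t5.42.92.51\t80\ttcp\n"
).splitlines()


if __name__ == "__main__":
    for src, ts in c2_hits(SAMPLE_CONN_LOG):
        print(f"C2 contact from {src} at {ts}")
    # Hypothetical path; replace with a quarantined copy of the sample.
    # print(matches_sample(hash_file("/quarantine/sample.exe")))
```

The port match is deliberate: the third record in the constructed log goes to the same IP on port 80 and is not reported, because the report only supports the IP:port pair as the C2 endpoint. If the IP is later reused for other infrastructure, keying on the full endpoint keeps the sweep from flagging unrelated traffic; widen it to the bare IP only when you have evidence the operator moved ports.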

Targets

    • Detect Mystic stealer payload

    • Mystic

      Mystic is an infostealer written in C++.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand PayPal.

    • Suspicious use of SetThreadContext
